Last weekend, my AV program just started reporting that it had found the virus win32.ramnit.N and deleted it. Then I did a complete scan of the system, and for almost every file it gives the same message.
Besides this, MS Word started opening several instances automatically with a message that 'Normal.dot' has changed.
I'm using McAfee AV as provided by my ISP, and my machine is Win XP SP3.
Any idea how to clean my system?

Thanks
Darknite

March 21st, 2011, 06:59 PM

westin

I would suggest starting off with the Kaspersky Rescue CD: http://support.kaspersky.com/viruses/rescuedisk -- This is a bootable Linux ISO. It will take you into a graphical environment where you can run updates and then launch a virus scan. This will be more effective than running one inside Windows.

After the scan has finished, I would recommend downloading Malwarebytes Anti-Malware - http://malwarebytes.org - Update and run it, then reboot into safe mode and run it again. Optionally, you can run CCleaner to clean up your temp folders and other locations that malware likes to hide in.

You should also probably run a few other removal tools, as different ones have better success rates depending on the malicious software you are trying to remove. Some other free ones include:

Spybot Search and Destroy
Combofix
Adaware
etc.

Just make sure that you download them from a good location, such as download.com... It might be advisable to download the installation files on a clean computer. If you move them over to the infected computer with a thumb drive, I would suggest creating a folder on the drive called autorun.inf and setting it to read-only. That will sometimes stop the drive from becoming infected.

You might also want to disable System Restore...

I am sure that you will get a dozen other replies to this thread suggesting different things. It is really up to personal preference in the end, but these are usually the steps I take on an infected system.

Good luck!
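Added example, not from westin or anyone else in this thread: a PowerShell script for the two scriptable steps above, preparing the thumb drive on the clean machine and turning off System Restore on the infected one. The drive letter E: is an assumption (pass your own), and the System Restore part writes the registry value behind the "Turn off System Restore" group policy, so it needs an elevated prompt on the infected machine.

```powershell
# Added example (not code from the original post). Assumes PowerShell 2.0 on
# XP SP3 and that the thumb drive is E: (adjust the -Drive parameter).

function Protect-UsbStick {
    param([string]$Drive = 'E:')   # drive letter is an assumption
    $autorun = Join-Path $Drive 'autorun.inf'

    # A *file* called autorun.inf on a stick you just formatted is a red flag:
    # clear its attributes and delete it before occupying the name.
    if (Test-Path -LiteralPath $autorun -PathType Leaf) {
        & attrib.exe -r -s -h $autorun
        Remove-Item -LiteralPath $autorun -Force
    }

    # Occupy the name with a directory so a dropper cannot create the file.
    if (-not (Test-Path -LiteralPath $autorun -PathType Container)) {
        New-Item -ItemType Directory -Path $autorun | Out-Null
    }

    # Read-only + system + hidden: simple droppers that try to delete or
    # overwrite the name fail on the attributes and give up.
    & attrib.exe +r +s +h $autorun

    # List what is on the stick (name, size, timestamp) so you can compare
    # it with the same listing after the stick has been in the infected box.
    Get-ChildItem -Path $Drive -Force |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object Name, Length, LastWriteTime
}

function Disable-SystemRestore {
    # Same registry value the "Turn off System Restore" policy sets.
    # Existing restore points hold copies of the infected files; after
    # turning SR off, confirm under System Properties > System Restore that
    # none remain, then remove this value again once the box is clean and
    # create a fresh restore point as a known-good baseline.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisableSR' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# On the clean machine:    Protect-UsbStick -Drive 'E:'
# On the infected machine: Disable-SystemRestore
```

Caveat worth keeping in mind: the autorun.inf folder only blocks the autorun spreading vector. A file infector running on the infected machine can still write into the installer EXEs sitting on the stick once it is plugged in, so compare the file sizes and timestamps from the listing above (or, better, the installers' hashes against the vendor-published ones) before trusting them on any other machine, and treat the stick as disposable afterwards.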

March 22nd, 2011, 05:23 AM

The-Spec

Quote:

Originally Posted by westin

I would suggest starting off with the Kaspersky Rescue CD: http://support.kaspersky.com/viruses/rescuedisk -- This is a bootable Linux ISO. It will take you into a graphical environment where you can run updates and then launch a virus scan. This will be more effective than running one inside Windows.

Running a live disk just to launch antiviral software is a waste of time. If you actually need a live disk, then you'll end up reinstalling anyway.

Quote:

After the scan has finished, I would recommend downloading Malwarebytes Anti-Malware - http://malwarebytes.org - Update and run it, then reboot into safe mode and run it again. Optionally, you can run CCleaner to clean up your temp folders and other locations that malware likes to hide in.

Multiple programs just to do the same job twice? Even if one did a better job than another, it's just a prime example of failure and inefficiency.

Reinstall, then set up a group policy.

March 22nd, 2011, 03:32 PM

westin

Quote:

Reinstall, then set up a group policy.

This is valid advice. A full reinstall is the only way to be sure that the infection is completely gone. I use GPOs to curb malware as well. Depending on the environment, I use whitelisting of executables or software restriction policies (SRPs) to prevent software from running out of the temp folders. You can also lock the system down so that it only runs applications that are installed in the 'Program Files' directory. That, combined with a non-admin user, will help quite a bit when it comes to avoiding infection.

spec - What other policies do you suggest?
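Added example, not westin's own policy: what the SRP he describes looks like when written straight to the registry on a standalone XP box, using the same keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers that the Local Security Policy snap-in writes (in a domain you would set the same thing through a GPO). The allow rules use the registry-path form Windows itself uses for its two default rules; the deny rules for user-writable corners of the Windows tree, and the C:\srp.log log path, are my additions and assumptions.

```powershell
# Added example (not from the thread). Run as Administrator; reboot or run
# "gpupdate /force" afterwards. Assumes XP SP3 with PowerShell 2.0.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level "Disallowed"
$Unrestricted = 262144     # 0x40000, SRP security level "Unrestricted"

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule is a GUID-named subkey under <level>\Paths.
    $guid = '{' + [Guid]::NewGuid().ToString() + '}'
    $key  = Join-Path $safer "$Level\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData' -Value $Path `
        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags' -Value 0 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description' -Value $Description `
        -PropertyType String -Force | Out-Null
}

New-Item -Path $safer -Force | Out-Null
# Anything not matched by an allow rule is blocked.
New-ItemProperty -Path $safer -Name 'DefaultLevel' -Value $Disallowed `
    -PropertyType DWord -Force | Out-Null
# 1 = enforce for all software files except libraries (DLLs); 2 would
# include DLLs, which is stricter but breaks more and logs far more.
New-ItemProperty -Path $safer -Name 'TransparentEnabled' -Value 1 `
    -PropertyType DWord -Force | Out-Null
# 0 = apply to all users, local administrators included.
New-ItemProperty -Path $safer -Name 'PolicyScope' -Value 0 `
    -PropertyType DWord -Force | Out-Null
# Log every allow/deny decision so you can see what was blocked while
# tuning the rules (log path is an assumption).
New-ItemProperty -Path $safer -Name 'LogFileName' -Value 'C:\srp.log' `
    -PropertyType String -Force | Out-Null

# Allow the OS and installed applications. The registry-path form is what
# Windows uses for its own default rules: unlike %SystemRoot% from the
# environment, a user cannot redefine it to point the allow rule elsewhere.
Add-SrpPathRule $Unrestricted `
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' `
    'Windows directory'
Add-SrpPathRule $Unrestricted `
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' `
    'Installed applications'

# ...but not the user-writable corners inside the Windows tree, which would
# otherwise inherit the allow rule. The most specific path rule wins, and
# these are written as literal paths resolved on this machine.
Add-SrpPathRule $Disallowed (Join-Path $env:SystemRoot 'Temp')  'User-writable'
Add-SrpPathRule $Disallowed (Join-Path $env:SystemRoot 'Tasks') 'User-writable'

# The user temp folder (XP profile layout) is already covered by the
# Disallowed default; an explicit rule makes the intent visible in secpol.msc.
Add-SrpPathRule $Disallowed '%USERPROFILE%\Local Settings\Temp' 'User temp'
```

Two practical points: leave PolicyScope at 0 only if you are happy that administrators are restricted too (the non-admin daily account westin mentions is what makes this bearable), and before rolling it out to anyone else, run with the log file for a few days and grep it for what got blocked, because every legitimately installed tool that lives outside Program Files needs its own allow rule.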

March 23rd, 2011, 12:16 PM

nihil

This is a messy one, as there are a number of variants and it is probably still evolving.

I would say that the simplest solution is to backup what you can (copy the entire HDD if you want) then wipe the drive and reinstall.

If you are going to try to clean it, you must get rid of the restore points, or at least allow them to be scanned and cleaned (by default they are read-only).

Because this malware seems to infect executables, it is likely that you won't be able to clean everything, so you will lose files and end up with an unusable and/or dysfunctional system because of stuff that was deleted or quarantined.

Quote:

Running a live disk just to launch antiviral software is a waste of time. If you actually need a live disk, then you'll end up reinstalling anyway.

Not entirely: using a live disk or slaving the drive will let you get rid of stuff that defends itself. On the other hand, some malware would need to be dealt with from within Windows, as it needs to run to be detected?

Quote:

Multiple programs just to do the same job twice? Even if one did a better job than another, it's just a prime example of failure and inefficiency.

Anti-malware is always behind the pace, particularly signature- or pattern-based ones. It isn't failure or inefficiency, it's the way things work (or not :D). Given well-obfuscated versions or new malware, the best AV/AM will only score around 40% detection :(

Quote:

Optionally, you can run CCleaner to clean up your temp folders and other locations that malware likes to hide in

I generally do that and defragment in SAFE MODE first. No point in scanning rubbish, and scans run faster if the pattern files and targets are defragmented.

As you are running XP, you might take a look at Online Armor by Tall Emu, and use FF with the NoScript plugin.

SpyBot S&D and Ad-Aware have interactive modules that may provide some additional protection, albeit with possible performance issues on low-end machines. They work just fine on a 1.6GHz single core with 1GB of 266MHz DDR.

All the good stuff about policies and restricted user accounts as well ;)

You might also consider using a browser sandbox like Sandboxie or Fortres Grand.

If you reinstall stuff from backups, be sure to scan it first, and I would certainly use more than one application. I use Malwarebytes, Spybot, Ad-Aware and Avira AV. Remember, if you get any hits at all, your backup is probably compromised.
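Added example, not nihil's: an integrity check to run on a backup before restoring from it, alongside the scanners he lists. Because this malware infects executables, every file it touched has a different hash from the known-clean copy, whether or not any scanner recognises the variant. The script builds a SHA-256 manifest of the executable files under a directory and diffs it against a manifest taken from a known-clean source. It assumes you have such a source for the same tree (a fresh install or the original install media); the extension list and the example paths are assumptions.

```powershell
# Added example (not from the thread). PowerShell 2.0 compatible: uses .NET
# SHA-256 directly rather than Get-FileHash, which XP-era PowerShell lacks.

# Extensions to inventory (assumption: extend it with whatever file types
# your scanner reported as infected).
$ExecutableExtensions = '.exe', '.dll', '.scr', '.sys', '.ocx', '.cpl'

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hash = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLower()
}

function New-ExecutableManifest {
    # Returns a hashtable: relative path -> SHA-256 of every executable
    # file under $Root, hidden and system files included.
    param([string]$Root)
    $manifest = @{}
    $prefixLength = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            ($ExecutableExtensions -contains $_.Extension.ToLower())
        } |
        ForEach-Object {
            $relative = $_.FullName.Substring($prefixLength)
            $manifest[$relative] = Get-Sha256Hex $_.FullName
        }
    return $manifest
}

function Compare-Manifest {
    # Emits one line per difference. MODIFIED is the interesting one for a
    # file infector; NEW files are anything the clean source never had.
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($relative in $Current.Keys) {
        if (-not $Baseline.ContainsKey($relative)) {
            "NEW      $relative"
        } elseif ($Baseline[$relative] -ne $Current[$relative]) {
            "MODIFIED $relative"
        }
    }
    foreach ($relative in $Baseline.Keys) {
        if (-not $Current.ContainsKey($relative)) {
            "MISSING  $relative"
        }
    }
}

# Usage (paths are assumptions):
#   On the clean source, save the baseline once:
#     New-ExecutableManifest 'D:\clean\Program Files' | Export-Clixml baseline.xml
#   Against the backup, with the stick slaved to a clean machine:
#     $base = Import-Clixml baseline.xml
#     $cur  = New-ExecutableManifest 'E:\backup\Program Files'
#     Compare-Manifest $base $cur | Tee-Object -FilePath backup-diff.txt
```

Read the MODIFIED lines with the same rule nihil gives for scanner hits: if any executable in the backup differs from its clean counterpart, assume the backup is compromised and take only the documents out of it. A legitimately newer version of a program also shows up as MODIFIED, so check the file version and date before concluding, but do the check from a clean machine, not from inside the infected Windows.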